In a local area network (LAN) such as a corporate network, there is a case in which a monitoring device analyses packets which are transmitted and received by each communication device in the network in order to detect unauthorized access by a device which is not included in the LAN. In this case, when the scale of the network that serves as the target for detection of unauthorized access is large, the load on the monitoring device increases, and thus there is a case in which the packets which are transmitted and received by the communication devices in the network are analyzed by a plurality of monitoring devices. When a plurality of the monitoring devices are used, it is possible to detect the unauthorized access to the network using the analysis results which are obtained by all of the monitoring devices by exchanging the analysis results between the monitoring devices.
FIG. 1 illustrates an example of a network. A corporate network 1 is connected to the Internet 3 via an access network 2. The corporate network 1 includes a firewall device 20, communication devices 10 (10m, 10n, and 10x to 10z), switches 15 (15x to 15z), and monitoring devices 25 (25x to 25z). The communication devices 10 in the corporate network 1 communicate with each other via a communication service network 12, and the monitoring devices 25x to 25z communicate via a monitoring network 17. In the example of FIG. 1, the monitoring device 25x analyses the packets which are transmitted and received by the communication devices 10x to 10z. The monitoring device 25y analyses the packets which are transmitted and received by the communication devices 10m and 10n, and the monitoring device 25z analyses the packets which are transmitted and received by the firewall device 20. In the following example, confidential data is stored in the communication devices 10x to 10z. For example, among communication devices 5a to 5c which are connected to the Internet 3, the communication device 5c establishes communication between the communication device 5c and the communication device 10m with the intent to gain unauthorized access to the communication device 10z in the corporate network 1. Subsequently, the communication device 10m establishes communication with the communication device 10z. As a result, the monitoring device 25y recognizes that the communication device 10m is communicating with the communication device 5c which is not included in the corporate network 1, and that the communication device 10m is communicating with the communication device 10z. The communication device 10z establishes communication with the communication device 5c using a path which does not pass through the communication device 10m. At this time, the monitoring device 25x recognizes that the communication destinations of the communication device 10z are the communication device 10m and the communication device 5c. The monitoring device 25z also recognizes that communication is established between the communication device 10z and the communication device 5c. In this case, by consolidating the analysis results of the monitoring devices 25x to 25z, as illustrated in FIG. 1, it is identified that the communication device 5c is accessing the communication device 10z via the communication device 10m, and is receiving packets from the communication device 10z. 
A network system including servers, clients, and a decoy server is proposed as related technology. In this system, since the address of the decoy server is not published to the clients, clients which attempt to access the decoy server can be said to be infected by a virus. Therefore, when the decoy server detects a client which attempts to access the decoy server, the decoy server transmits a warning to the devices in the network by broadcast indicating that a virus attack is underway (for example, Japanese National Publication of International Patent Application No. 2004-531812). A network system is also proposed in which a boundary relay device which is positioned on the boundary of a network which is provided with a plurality of autonomous systems discards unauthorized packets caused by re-intrusion, and transmits filtering information for discarding the unauthorized packets to all of the boundary relay devices (for example, Japanese Laid-open Patent Publication No. 2002-185539).